London Stock Exchange Served Malware

A malicious ad served on the LSE’s site caused problems less than 48 hours after a technical glitch stopped trading

The London Stock Exchange can’t seem to catch a break. Less than 48 hours after a technical glitch stopped all trading, Google flagged the stock exchange’s website for malware.

Users trying to get to londonstockexchange.com via Google Chrome or Mozilla Firefox were shown a warning page on 27 February that warned the site may contain malware. Chrome and Firefox both use Google’s malware blocklist to flag suspected sites.

Drive-by attack

Merely viewing the stock exchange’s main homepage caused malware to be downloaded in a drive-by attack, Paul Mutton, an information security consultant based in Wiltshire, England, wrote on the High Severity security blog. He was alerted to the issue by some users on Twitter.

Google’s Safe Browsing feature provides diagnostic information for the site’s malware history. “Of the 281 pages we tested on the site over the past 90 days, 65 page(s) resulted in malicious software being downloaded and installed without user consent,” the diagnostic page read on 27 February. The diagnostic page claimed to have found two scripting exploits, two Trojans and one exploit. A successful infection resulted in an average of five new processes on the compromised machine, according to the page.

The problem turned out to be a malicious advertisement being served up by a third-party ad network, according to the stock exchange. The malicious advertisement has been removed and the exchange was working with Google to take down the warning message, LSE said.

The London Stock Exchange site itself has not hosted any malware, nor has it been used to infect other sites, according to the diagnostic page. With “malvertising”, cyber-criminals can easily use a large number of legitimate websites to download malware in the background without directly compromising the sites, but indirectly via a malicious ad on a third-party network.

Malvertising have become a primary attack vector, according to Anup Ghosh, founder and chief scientist of Invincea.

In this case, the ad was being served up by third-party provider Unanimis and Borsa Italiana, and the malware was actually hosted on stripli.com, a site that Google had already flagged as being suspicious, according to diagnostic page.

Fake antivirus program

Compromised users were hit by a fake antivirus program which appeared in the system tray and prevented other processes such as Task Manager from running, Mutton said. The malware also changed the wallpaper to a text background that warned in bright red letters, “Warning! Your’re in danger! Your computer is infected with spyware!”

The malware affected only the site’s banner advertisements and did not compromise the rest of the stock exchange’s website, according to Unanismis. “The affected advertisements have been removed and all sites continue to operate normally,” the company said. “For clarity the LSE website was not impacted by this malware, not did it propagate malware,” according to the statement.

A London Stock Exchange spokesperson told Mutton it was inaccurate to claim the stock exchange site was propagating malware since users had to click through to be infected, according to an earlier version of Mutton’s post.

Mutton disagreed because his computer was compromised just by accessing the page without clicking on anything. Furthermore, Mutton asserted it does not matter where the malware executable is actually hosted. “If their website includes content from other sites, which is designed to propagate malware, then transitively, their site will also be propagating malware,” said Mutton.

While the link for the main homepage does not appear to be flagged on the Google search results for the stock exchange as of 28 February, the link for AIM, the London Stock Exchange’s international market for smaller companies, still displays the “This site may harm your computer” warning.

With the malvertisement removed, Google’s Safe Browsing page on 28 February reported just one malicious page out of five tested.

Technical problems

The stock exchange has had a number of technical problems recently. The exchange’s migration to the new SUSE Linux platform caused problems for brokers, and on 25 February, a technical glitch in how pricing is displayed caused all trading to be put on hold for hours.

The LSE was not the only victim of this particular malvertisement, as it has affected seven other domains, including reviewcentre.com, a product reviews site for a variety of products and services including laptops, hotels and cars, and viamichelin.com, a travel planning site for the United Kingdom and Europe, according to the suspected malware’s Safe Browsing page provided by Google.

Web security firm WebSense also said that other sites using Unanimis had been hit by the same malicious ad over the weekend, including movie site Myvue and auto trading site Autotrader. There were also reports that the UK-version of eBay was affected, according to WebSense. The Safe Browsing page for ebay.co.uk said six malicious pages had been found, but did not list Unanimis as the intermediary distributing the malware.

In the case of AutoTrader, the site downloaded ads from its service providers while the user was browsing the site. When the malicious advertisement was loaded, the site redirected the user, and then again to the site that actually contained an exploit kit which targeted Internet Explorer, Adobe Acrobat Reader and Java, WebSense said. The dropped files installed the rogue antivirus and then demanded users pay $59.95 to remove the malware it had “found”, according to WebSense’s analysis of the kit.

According to WebSense, the dropped files have a low rate of detection by antivirus software.

Antivirus products ineffective

Antivirus solutions continue to be “ineffective” addressing online threats, Ghosh told eWEEK. Whitelisting can’t prevent malware “sneaking in through third-party ads”, and users aren’t protected when they trust their native browsers, he said.

Just keeping the antivirus definitions up-to-date is clearly not enough, as Mutton had just updated his security settings that morning before going to the stock exchange site.

“The strongest way to address this threat, and the only known solution to this problem, is to seamlessly isolate the browser from the host operating system in a clean, fully virtualised environment,” Ghosh said, referring to Invincea’s browser product that runs in a virtual machine.